How to visualize RADIUS connections

by parsing Windows Server log files

Note: This tutorial works for Windows Server 2003 to 2012R2 with NPS installed. It does not currently work with FreeRADIUS.

After finishing this tutorial you'll have a live graph of your RADIUS connections and see which users are having troubles connecting.
Dashboard

Security

Before we begin, keep in mind that none of the servers or services I'm describing should be reachable from the internet. This should only be implemented in a LAN environment because the traffic will be unencrypted. Don't install the database or the dashboard on a device that is accessible through the internet.

What we'll need

Windows Server 2003 to 2012R2 (didn't test it on 2016 yet) with NPS enabled and acting as RADIUS Server for some Access Points

Installing

Changing the config

Since we want the best performance, we'll send our RADIUS data over UDP. To enable this, edit the InfluxDB config file (nano /etc/influxdb/influxdb.conf) and replace the [[udp]] config with these lines:

[[udp]]
enabled = true
bind-address = ":8090"
database = "radius"
batch-size = 5000 # will flush if this many points get buffered
batch-timeout = "1s" # will flush at least this often even if the batch-size is not reached
batch-pending = 10 # number of batches that may be pending in memory
read-buffer = 0 # UDP read buffer size, 0 means to use OS default

Restarting InfluxDB

service influxdb restart

After restarting InfluxDB, the "radius" database will automatically be created and linked to UDP port 8090.

What do these things mean?

IMPORT_OLD (bool)

If set to true, you can import old log files. The parser will exit after importing all of them. If you do this more than once, you'll have duplicate entries. Also keep in mind that these log files are around 100MB per month and parsing them might use a lot of memory on your InfluxDB box! I imported data from 2011 to 2015 and it used about 16 gigs while importing.

If set to false, the parser will parse the current log file only, then wait for it to change and parse it again. This means the script will run until you kill it. You might want to consider creating a system service that starts this script automatically. There are tools for that.

USERADIUSTIME (bool)

If set to true, the script will parse the time from the log files and put it into InfluxDB. This is recommended, since otherwise you might have wrong dates.

If set to false, it will insert the data with the current server time.

PATH (string)

The path to your log files. This should only be changed if you are testing the script.

DB* (string/int)

DBNAME, DBIP and DBPORT define which InfluxDB instance to connect to. These settings should be set according to the /etc/influxdb/influxdb.conf file and point to the IP of the InfluxDB server.

ONLYNEWDATA (bool)

If set to true, the script will create a text file where it stores the last timestamp it sent to the database. This is useful because it prevents duplicate data insertion when you start the script twice.

If set to false, it will parse the whole file and put it in the database even if this file has already been parsed before.
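What USERADIUSTIME and ONLYNEWDATA amount to on the wire, as an added Python example (not the tutorial's PHP script): each record becomes one InfluxDB line-protocol point stamped with the log's own time, records at or before the stored timestamp are skipped, and the client-supplied user name is escaped so it cannot add tags, fields or extra points. The measurement name, record fields, timestamp format, UTC handling and state file are assumptions made for this example.

```python
import os
import socket
from datetime import datetime, timezone

MEASUREMENT = "radius_auth"  # hypothetical measurement name

def esc_tag(value):
    """Escape a tag value for InfluxDB line protocol."""
    # User-Name is supplied by the connecting client, so treat it as untrusted.
    value = value.replace("\r", "").replace("\n", "")  # newline would start a new point
    value = value.rstrip("\\")  # trailing backslash would escape the next delimiter
    for ch in (",", "=", " "):
        value = value.replace(ch, "\\" + ch)
    return value or "unknown"  # empty tag values are not valid

def to_ns(stamp):
    """USERADIUSTIME=true: use the log's own time (format and UTC are assumptions)."""
    dt = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 10**9  # the UDP listener defaults to nanoseconds

def to_line(rec):
    return "%s,user=%s,result=%s count=1i %d" % (
        MEASUREMENT, esc_tag(rec["user"]), esc_tag(rec["result"]), to_ns(rec["time"]))

def new_lines(records, state_path):
    """ONLYNEWDATA=true: skip records at or before the stored timestamp."""
    last = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            last = int(fh.read().strip() or 0)
    fresh = [r for r in records if to_ns(r["time"]) > last]
    if fresh:
        with open(state_path, "w") as fh:
            fh.write(str(max(to_ns(r["time"]) for r in fresh)))
    return [to_line(r) for r in fresh]

def send_udp(lines, host, port=8090):
    """One datagram per point, sent to the [[udp]] listener configured above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))

# Constructed sample records, as a log parser might produce them.
SAMPLE = [
    {"time": "05/20/2015 10:15:30", "user": "CORP\\alice", "result": "accept"},
    {"time": "05/20/2015 10:15:42", "user": "bob,result=accept x=1\n", "result": "reject"},
]
```

Because the cut-off has one-second resolution, an event logged in the same second as the stored timestamp but written after the previous run is skipped.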

Should be working now!

If you start the script on the server (with PHP installed), it should parse the logs and fill your database. You can confirm this by pointing your browser to http://ip.of.your.influxdb.box:8083, selecting the "radius" database in the top right corner and using a query like: